Screen OS

  • 1.  Creating a New Interface Port - SSG140

    Posted 09-29-2016 10:19

    First off, please forgive my lack of knowledge, as we used to have a Network Admin that handled all this; however, he has since left the company and hasn't been replaced yet... so sadly it falls on me. As far as my knowledge level goes, I can handle the basics including policies and such, however I am struggling hard to wrap my head around why this isn't working.

    We have a Juniper SSG-140 firewall device that has a number of Interface ports configured:

    All addresses prefixed with "192.168.":

    0/0 - Trust
    0/1 - DMZ
    0/3 - Shared DMZ
    0/6 - VOIP\VOICE
    0/7 - ***NEW INTERFACE***
    0/9 - Untrust\Internet

    Basically what I am wanting to do is create a new VLAN on our 192.168 network for Interface 0/7 which will provide a gateway address of 192.168.55.254 (all other addresses are in the 192.168.x.x range). I have created the interface port as in the attached screenshot and gone to what will be the new domain controller and set up a static IP on it as 192.168.55.200 with 55.254 as the gateway, and I cannot get any connections externally. I have tried pinging Google's 8.8.8.8 IP but get no reply. I also set up 2 policies to allow HTTP, HTTPS and PING between the new zone and the untrust as well, being unsure if that was how it "routed" or knows it's ok to let the traffic out.

    Thanks much for any help!!!



  • 2.  RE: Creating a New Interface Port - SSG140

    Posted 09-29-2016 11:13

    Just to further on this, I have been digging around a lot and "playing" in the firewall trying to fix it myself (still no luck sadly) and did verify that there is a Destination Route for:

    0.0.0.0/24     -->     External Internet Connection

    I figured this was the case, though; otherwise I wouldn't see how any of the other ports would be able to get out, correct?



  • 3.  RE: Creating a New Interface Port - SSG140

    Posted 09-29-2016 12:00

    Default route should be 0.0.0.0/0.

    Also, in your policy, do you have NAT src set?  Automatic NAT will only happen between trust to untrust.  As this is a custom zone, you need to specify NAT src in your trust to untrust policy.

    You also mentioned VLANs.  Is the switch port set to access or trunk?  If it is trunk, you would need to create a subinterface with the matching VLAN.



  • 4.  RE: Creating a New Interface Port - SSG140

    Posted 09-29-2016 14:06

    Thank you for the quick reply rseibert, I will answer what I can to the best of my ability:

    Firstly, I typed it incorrectly; the route is in fact set as

    0.0.0.0/0     -->     External ISP (attached a screenshot showing it)

    For the NAT src, I assume that is the Source Translation in the Advanced Policy Settings? Currently it is not checked off for Source Translation, assuming I am looking in the right spot:

    Policy > Policies > "New Zone" to "Untrust" > Edit Policy > Advanced

    (screenshot attached)

    Also again, not sure if I am gathering this right when you say "need to specify NAT src in your trust to untrust policy" ... but we do not currently want Interface 0/7 (R&D) to access 0/0 (Trust) - we will do this via policy down the road... for now the only goal is to get Internet access via the new Interface 0/7 through 0/9 (already configured for other Interfaces).

    I assume that the VLAN setup is already configured properly because the different 192.168.x.x VLANs can communicate just fine if I set up policies telling what to go where.

    Again, I apologize if any of this sounds stupid or I am making a mockery of it all... really out of my element and greatly appreciate the help!



  • 5.  RE: Creating a New Interface Port - SSG140
    Best Answer

    Posted 09-29-2016 14:17

    Yes, you would need to set the Source Translate under the advanced settings for the policy.  This will translate the traffic from 192.168.55.0 to the IP of eth0/9.  192.168.x.x are private networks and are not allowed to be routed across the internet.  As such, you must translate the traffic to a public IP address.  This is what that setting does.

    "Again, I apologize if any of this sounds stupid or I am making a mockery of it all... really out of my element and greatly appreciate the help!"

    Not at all.  This is how you learn.  We were all in your situation at one time.  🙂

    If this doesn't work, try the following debug to see how the traffic is being handled.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB23844&actp=search#basicdebug
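    The configuration this thread converges on, written out as ScreenOS CLI. This is an added illustration, not commands from the thread, the vendor KB or the poster's device; the policy ID, the service-group name "RnD-Out", VLAN ID 55 and the <ISP-GATEWAY> next hop are assumed placeholders, and the "##" lines are annotations rather than ScreenOS syntax.

    ```screenos
    ## Added example: the R&D zone on eth0/7 (gateway 192.168.55.254) reaching
    ## the Internet through eth0/9 (Untrust). "##" lines are annotations only.

    ## Custom zone and the access-port interface for the new VLAN.
    set zone name "R&D"
    set interface ethernet0/7 zone "R&D"
    set interface ethernet0/7 ip 192.168.55.254/24
    set interface ethernet0/7 route
    ## If the switch port is a trunk, use a tagged subinterface instead of the
    ## three interface lines above (VLAN ID 55 is an assumed placeholder):
    ##   set interface ethernet0/7.1 tag 55 zone "R&D"
    ##   set interface ethernet0/7.1 ip 192.168.55.254/24

    ## Default route toward the ISP via the Untrust interface; <ISP-GATEWAY>
    ## is a placeholder for the real next-hop address.
    set route 0.0.0.0/0 interface ethernet0/9 gateway <ISP-GATEWAY>

    ## Service group for the outbound services named in the thread.
    set group service "RnD-Out"
    set group service "RnD-Out" add "HTTP"
    set group service "RnD-Out" add "HTTPS"
    set group service "RnD-Out" add "PING"

    ## Weak form (what the poster had): sessions leave with a 192.168.55.x
    ## source, which is RFC 1918 space the ISP drops, so 8.8.8.8 never replies.
    ##   set policy id 10 from "R&D" to "Untrust" "Any" "Any" "RnD-Out" permit log

    ## Corrected form: "nat src" is the CLI equivalent of the Source Translation
    ## checkbox and rewrites the source address to the eth0/9 interface IP.
    set policy id 10 from "R&D" to "Untrust" "Any" "Any" "RnD-Out" nat src permit log

    ## No policy from "Untrust" to "R&D" is created, so unsolicited inbound
    ## sessions hit the implicit deny; only replies to sessions opened from
    ## R&D are allowed back in by the session table.
    ```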



  • 6.  RE: Creating a New Interface Port - SSG140

    Posted 09-29-2016 14:28

    This did work, I am able to ping Google's IP and DNS with DNS entries in the server! Thank you much!!!!!

    Just to confirm, I assume that if I have only set a policy to have the new zone (R&D) to the Untrust with "Any" that this is strictly the outbound communication and not opening up the server to the world... also given that there are no MIPs or Policies saying "yes, please send viruses inbound to this zone" (my attempt at comedic relief).

    Thanks again!!!!



  • 7.  RE: Creating a New Interface Port - SSG140

    Posted 09-29-2016 14:37

    That is correct.  However, if the person goes out to an infected site, then the virus is going to come in.  It will however not allow connections initiated from the untrust to R&D.



  • 8.  RE: Creating a New Interface Port - SSG140

    Posted 09-29-2016 14:54

    That's what I assumed from my limited Policies manipulation experience... so thanks!